Self Encrypting Drives (Full Disk Encryption)

Cisco IMC supports self encrypting drives (SED). Special hardware in the drives encrypts incoming data and decrypts outgoing data in real time. This feature is also called Full Disk Encryption (FDE).

The data on the drive is encrypted on its way into the drive and decrypted on its way out. However, if you lock the drive, no security key is required to retrieve the data.

When a drive is locked, an encryption key is created and stored internally. All data stored on this drive is encrypted using that key, and stored in encrypted form. Once you store the data in this manner, a security key is required in order to decrypt and fetch the data from the drive. Unlocking a drive deletes that encryption key and renders the stored data unusable. This is called a Secure Erase. The FDE comprises a key ID and a security key.
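
The following is an added example, not Cisco IMC or drive-vendor code. It models the key handling described above: data is stored only as ciphertext under a drive-internal key, a security key gates access to that internal key, and discarding the internal key erases the data. The class and method names are hypothetical, and a SHA-256 keystream stands in for the drive's hardware cipher.

```python
import hashlib, hmac, os

def _stream(key: bytes, label: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); real SEDs use a hardware cipher."""
    return b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SedModel:  # constructed model of one self-encrypting drive
    def __init__(self):
        self.mek = os.urandom(32)  # internal encryption key; None while locked
        self.wrapped = None        # (salt, wrapped key, tag) once secured
        self.media = {}            # LBA -> ciphertext as stored on the media

    def _pad(self, lba: int, n: int) -> bytes:
        if self.mek is None:
            raise PermissionError("drive is locked")
        return _stream(self.mek, lba.to_bytes(8, "big"), n)
    def write(self, lba: int, data: bytes) -> None:
        self.media[lba] = _xor(data, self._pad(lba, len(data)))
    def read(self, lba: int) -> bytes:
        return _xor(self.media[lba], self._pad(lba, len(self.media[lba])))

    def _kek(self, security_key: str, salt: bytes):
        # Derive a key-encryption key from the security key (assumed scheme).
        kek = hashlib.pbkdf2_hmac("sha256", security_key.encode(), salt, 10_000)
        return kek, _stream(kek, b"wrap", 32)

    def enable_security(self, security_key: str) -> None:
        salt = os.urandom(16)
        kek, pad = self._kek(security_key, salt)
        blob = _xor(self.mek, pad)
        self.wrapped = (salt, blob, hmac.new(kek, blob, "sha256").digest())

    def power_cycle(self) -> None:
        if self.wrapped:
            self.mek = None        # a secured drive comes back up locked

    def unlock(self, security_key: str) -> bool:
        salt, blob, tag = self.wrapped
        kek, pad = self._kek(security_key, salt)
        ok = hmac.compare_digest(tag, hmac.new(kek, blob, "sha256").digest())
        if ok:
            self.mek = _xor(blob, pad)
        return ok

    def clear_secure_drive(self) -> None:
        self.mek, self.wrapped = os.urandom(32), None  # old ciphertext unreadable
```

In this model a drive moved to another controller behaves like a power-cycled one: it stays locked until the original security key is supplied, which is the situation the foreign configuration procedures address.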

The FDE feature supports the following operations:

Enable and disable security on a controller

Create a secure virtual drive

Secure a non-secure drive group

Unlock foreign configuration drives

Enable security on a physical drive (JBOD)

Clear secure SED drives

Clear secure foreign configuration

Creating Virtual Drives from Unused Physical Drives

Before You Begin

You must log in with admin privileges to perform this task.

Procedure

Step 1
Command or Action: Server# scope chassis
Purpose: Enters the chassis command mode.

Step 2
Command or Action: Server /chassis # scope storageadapter slot
Purpose: Enters command mode for an installed storage card.

Step 3
Command or Action: Server /chassis/storageadapter # create virtual-drive
Purpose: At this point, you are prompted to enter information corresponding to the RAID level, the physical drives to be used, the size, enabling full disk encryption of the drive and the write policy for the new virtual drive. Enter the appropriate information at each prompt.

When you have finished specifying the virtual drive information, you are prompted to confirm that the information is correct. Enter y (yes) to confirm, or n (no) to cancel the operation.

Note: Enabling full disk encryption secures the drive.

Step 4
Command or Action: Server /chassis/storageadapter # show virtual-drive
Purpose: Displays the existing virtual drives.

This example shows how to create a new virtual drive that spans two unused physical drives.

At this point, you are prompted to enter information corresponding to the virtual drives to be used, and the size and the write policy for the new virtual drive. Enter the appropriate information at each prompt.

When you have finished specifying the virtual drive information, you are prompted to confirm that the information is correct. Enter y (yes) to confirm, or n (no) to cancel the operation.

Step 4
Command or Action: Server /chassis/storageadapter # show virtual-drive
Purpose: Displays the existing virtual drives.

This example shows how to carve a new virtual drive out of unused space in an existing RAID 1 drive group:

Importing Foreign Configuration

When one or more physical drives that have previously been configured
with a different controller are inserted into a server, they are identified as
foreign configurations. You can import these foreign configurations to a
controller.

Before You Begin

You must log in with admin privileges to perform this task.

Procedure

Step 1
Command or Action: Server# scope chassis
Purpose: Enters the chassis command mode.

Step 2
Command or Action: Server /chassis # scope storageadapter slot
Purpose: Enters command mode for an installed storage card.

Step 3
Command or Action: Server /chassis/storageadapter # import-foreign-config
Purpose: You are prompted to confirm the action. Enter yes to confirm.

Note: If you do not enter yes, the action is aborted.

This example shows how to import all foreign configurations on the
MegaRAID controller in slot 3:

Unlocking Foreign Configuration Drives

When a set of physical drives hosting a secured drive group are
inserted into a different server or controller (or the same controller but
whose security-key has been changed while they were not present), they become
foreign configurations. Since they are secured, these foreign configurations
must be unlocked before they can be imported. The following procedure explains
how to unlock a foreign configuration drive:

Before You Begin

You must log in with admin privileges to perform this task.

Procedure

Step 1
Command or Action: Server# scope chassis
Purpose: Enters the chassis command mode.

Step 2
Command or Action: Server /chassis # scope storageadapter slot
Purpose: Enters command mode for an installed storage card.

Step 3
Command or Action: Server /chassis/storageadapter # unlock-foreign-configuration
Purpose: At the prompt, enter the security key and enter yes at the confirmation prompt.

Clearing a Secure Physical Drive

Clearing a secure drive converts an FDE drive from secured to
unsecured. The physical drive status must be Unconfigured good to perform this
action. This erases the data on the physical drive. The following procedure
explains how to clear a secure SED physical drive:

Before You Begin

You must log in with admin privileges to perform this task.

Procedure

Step 1
Command or Action: Server# scope chassis
Purpose: Enters the chassis command mode.

Step 2
Command or Action: Server /chassis # scope storageadapter slot
Purpose: Enters command mode for an installed storage card.

Step 3
Command or Action: Server /chassis/storageadapter # scope physical-drive 2
Purpose: Enters the physical drive command mode.

Step 4
Command or Action: Server /chassis/storageadapter/physical-drive # clear-secure-drive
Purpose: At the confirmation prompt, enter yes.

This clears the secure SED physical drive and all the data will be lost.

Step 5
Command or Action: Server /chassis/storageadapter/physical-drive # show detail
Purpose: (Optional) Displays the physical drive details.

This example shows how to clear an SED foreign configuration physical
drive:

Clearing a Secure SED Foreign Configuration Physical Drive

Converts a locked foreign configuration Full Disk Encryption drive to
an unsecured and unlocked drive. This erases the data on the physical drive. The
following procedure explains how to clear a secure SED foreign configuration
physical drive:

At this point, you are prompted to enter a security key. You can either enter a security key of your choice or use the suggested security key. If you choose to assign a security key of your choice, enter the security key at the prompt.

Depending on whether you want to use the suggested security key or a security key of your choice, enter y (yes) to confirm, or n (no) to cancel the operation at the appropriate prompt.